1. Field of the Invention
The present invention relates to a method, a security system and a security device for data processing a security critical activity
2. Description of the Prior Art
Advances in computer and communications technology have increased the flow of information between and within computer networks. This ability to communicate between computers and networks has also made it possible to develop a wide variety of services that can be performed from your own personal computer. Such services may for example be mailing, home shopping, home banking etc. Many of these services comprise security critical activities that have to be performed when the computer is on-line, such as transferring money through Internet.
Performing such security critical activities, is of course a security risk, since also potential intruders can listen to and/or compromise these security critical activities, by breaking into the computer. One of the reasons for this is that the operating systems of personal computers were not designed with security in mind, since they were personal and without connections to any network. Thus, it is easy to use malicious code, Trojan horses or the like to compromise the operating system of a personal computer and thereby the security critical activities executed thereon. Also more secure operating systems, such as Unix, may be compromised with a relatively small effort. Today there is no commercial operating system that protects the user from Trojan horses.
To increase the security of the operating system there has been suggested to provide firewalls between the local network and the public available networks open to any intruders. Such firewalls filter the communication between the local network and the outside world by only allowing certain selected services to pass through. If other services are requested the passing through the firewall will only be enabled if a valid password is presented. The communication then eventually reaches either a personal computer or a server computer inside the local network. This safety measure will of course increase the security, but will still not guarantee that the security critical activities are performed the way the user initially intended. Vulnerabilities in the implementation of the allowed, non-filtered, services may allow an intruder to intrude into the personal computer.
Another possible security measurement is to insert security mechanisms in the operating system, like requiring passwords for access to certain services.
The main reason why the above security mechanisms are not totally safe is that they are software based. Since software always contains bugs, it is corruptible, and may therefore be compromised by exploited security holes, malicious code, resident Trojan horse software etc. Software based security solutions are also too brittle, i.e. if the operating system security is compromised all data and all applications that are executed thereon will also be compromised.
Another common security measure is to use so called xe2x80x9cactive cardsxe2x80x9d, or xe2x80x9csmart cardsxe2x80x9d. These cards contain a small computing device having a processor, a memory and communication ports. Such device may include a secret key, which is used to represent the user""s identity in the networks. The card is used together with a host system, and the host system can ask the card to perform security critical steps in activities with the secret key. The host system cannot read the secret key, it is trapped inside the smart card. The processor on the smart card cannot communicate directly with the user, it has to rely on the host system to relay the communication with the user without any malicious intervention. Hence, a smart card can do very little to protect itself against malicious software in a host system.
In personal computers using smart cards, a compromised application may get the smart card to perform any action it normally can do, without having to involve the user. The smart card can be ordered, by the application, to sign any digital document, and the user is not required to review it, nor to express any explicit act-of-will for the signature to be applied to the document.
One different, but similar approach to increase the operating system security is to build a so called multi level secure (MLS) operating system. Such systems label objects and subjects according to a security classification, and define rules for how information is allowed to flow through the system. The classification of different security levels and the record keeping of which users that have access to different security levels and objects is very time consuming to maintain. Furthermore, conventional personal computer applications are not compatible with the operating systems of the MLS system, and all applications have to be tailor-made for the MLS system. This is of course very costly.
WO94/01821 discloses a trusted path subsystem for workstations, such as personal computers. The system comprises a network computer, which is a MLS computer and a workstation. The object of the invention is to provide safe communication between a trusted subsystem of the MLS computer and the workstation. To solve this problem the workstation is connected to a trusted path subsystem which receives the encrypted data from the trusted system of the MLS computer and decrypts it without involving the workstation.
Thus, the application running on the MLS-system will be certain that the data received will be the same as the data sent from the trusted subsystem of the MLS computer, and vice versa. However, this system is limited to the secure exchange of data between a trusted subsystem of a MLS computer and a network computer, basically tunnelling encrypted keystrokes and pixel writes from the application in the MLS-system to the trusted subsystem in the workstation.
Furthermore, the whole application is executing in a highly secure environment, the MLS system. A lot of effort has been made to make sure that the whole application is secure. However, if the application is compromised, for example by security holes in the application itself, or if the system administrator attacks the application, the trusted subsystem will not guarantee that the application presents the same information on the xe2x80x9csecuredxe2x80x9d screen as is later signed, since it lacks means for user involvement. Thus, there are no requirements for the application to get an act-of-will from the user in order to sign a digital document.
UK patent application GB 2 267 986 discloses a security device for a computer. The object of this security device is to isolate the computer from the input/output devices, such as keyboard and mouse, when security critical activities are to be performed. The security device comprises a processor storing a plurality of programs for operating the security device in either a transparent mode or a special handling mode. In the transparent mode the data inputted from the input/output devices is transmitted through the security device directly to the computer, i.e. the security device is in a passive mode. In the special handling mode the security device itself will perform the processing of the data by executing one of the stored programs without any involvement of the computer.
When the processor of the security device receives a command, that is associated with any of the plurality of programs stored therein, it will start the special handling mode and execute one of the programs The different programs stored in the processor of the security device all define different security critical activities. The program may also in some cases require a password or the like before the security critical activity is executed. As soon as such password is received the program will execute the rest of the security critical activity automatically. New programs to be stored in the security device can be loaded from the computer, without any user involvement in the loading process. Hence, the user can not be certain which steps are performed within the security device after loading a new program. Thus, the application itself may be compromised and since signing a block of data does not require any review or act-of-will from the user it is possible that activities are performed that the user did not initially intend.
Even if this system provides a high degree of security it still has a major drawback, namely it lacks user involvement.
User involvement is an essential part in executing security critical activities if, for example, the task of these activities is to create a legally binding document. In the case where a document is to be signed traditionally, i.e. on paper, it is required that the person signing the paper, firstly can be identified by his signature, secondly reads through and verifies the content of the paper and then thirdly puts his signature on the paper as an act-of-will. Thus, digital signature systems have to be designed to allow the user to perform the same steps when signing a digital document, if it is to be legally binding.
Surprisingly the inventor found that the methods used today for performing security critical activities, as described above, in contrast to this are system-orientated, i.e. the system is expected to perform the security critical activities and only consult the user occasionally with less important tasks.
With system approach is meant that the system or application is able to do whatever the user can do. Thus, such a system is capable to simulate the user. In a system with user approach the user has to be involved in order to perform certain steps, i.e. such steps can not be simulated by the system or application.
Thus, the objective problem to be solved by the present invention is to provide a method, a system and a device for processing security critical activities which is user-orientated and firmly involves the user in performing the security critical activities.
This problem is solved by a method, a system and a device as defined in claims 1, 10 and 15, respectively.
Preferred embodiments of the invention are defined in the dependent claims 2-9, 11-14 and 16.
By using the method according to the present invention the user will be firmly involved every time a security critical activity is to be performed, i.e. the method is user based in contrast to the system based methods in prior art. This approach according to the invention will always guarantee that the user has control over the security critical activity that is being executed on the security system, since an act-of-will of the user is required in order to perform such activities. Furthermore, the method according to the invention provides a secure space in which the security critical activities are processed.
Thus with the method according to the invention it is possible to perform tasks such as signing legally binding documents, sending secret mails, performing payments, loading cash-cards, making secret phone calls etc. in a reliable and secure way by making use of the user involvement steps.
By providing the security system according to the present invention with switching and crypto devices it is possible to encrypt the data from and to the input/output devices and thereby use the already existing lines of the computer to tunnel data to the security device. Thus, the security system can be designed with a minimum of changes to the ordinary computer. The only additional equipment that is needed is, the security device, its connection lines and the switching and crypto devices. Thus, the security system according to the present invention does not need an additional screen in order to create an secure space in which security critical activities can be performed.